US12348499B2ActiveUtilityA1

Secure collaboration with file encryption on download

82
Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Feb 23, 2022Filed: Feb 23, 2022Granted: Jul 1, 2025
Est. expiryFeb 23, 2042(~15.6 yrs left)· nominal 20-yr term from priority
G06F 21/6209G06F 2221/2147G06F 2221/2141H04L 63/20H04L 63/102H04L 63/0428H04L 63/0435
82
PatentIndex Score
4
Cited by
25
References
17
Claims

Abstract

The techniques disclosed herein enable systems to manage remote file storage systems while bolstering information security through file encryption on download and permissions labels. To achieve this, a site owner configures permissions for a network site that stores files and that enables encryption on download. Various users with file access via the permissions may then interact with the site. When a user downloads a file from the site, they receive an encrypted copy that includes a permissions label that synchronizes with the network site permissions. When a user attempts to interact with an encrypted file the permissions label is used by the system to determine whether the user is authorized to access the file. In addition, permissions that are changed at the network site can be propagated to downloaded encrypted copies. In this way, permissions can be enforced for all site files even when copies leave the network site.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A system comprising:
 one or more processing units; and 
 a computer-readable medium having encoded thereon computer-readable instructions that when executed by the one or more processing units causes the system to:
 store a file at a collaborative network site; 
 configure the file with one or more permissions defined by an administrative entity associated with the collaborative network site; 
 grant a plurality of users access to the file according to the one or more permissions; 
 receive a download request for the file from a computing device associated with a user of the plurality of users; 
 transmit an encrypted file comprising the file and a permissions label associated with the user to the computing device in response to receiving the download request; 
 receive, from another collaborative network site, a permissions query that includes an identification for another user requesting to download the encrypted file which has been uploaded to the other collaborative network site; 
 compare the identification for the other user to the one or more permissions for which the file is configured; 
 determine, based on the comparing, that the other user is not included in the plurality of users that have been granted access to the file; and 
 prevent access to the encrypted file for the other user based on the determining. 
 
 
     
     
       2. The system of  claim 1 , wherein the encrypted file includes a publishing license comprising data defining the collaborative network site of the encrypted file, the publishing license configured to implement a synchronization between the permissions label in the encrypted file and the one or more permissions configured for the file at the collaborative network site. 
     
     
       3. The system of  claim 1 , wherein the permissions label includes one or more of a read permission, an edit permission, or a full control permission for the user. 
     
     
       4. The system of  claim 1 , wherein the computer-readable instructions further cause the system to:
 delete the collaborative network site in response to a deletion command from the administrative entity; and 
 revoke access to the file for the plurality of users in response to the deletion of the collaborative network site. 
 
     
     
       5. The system of  claim 1 , wherein the computer-readable instructions further cause the system to:
 receive an access request from the computing device of the user to access the encrypted file, wherein the access request includes one or more permissions extracted from the permissions label included in the encrypted file previously transmitted to the computing device; 
 compare the one or more extracted permissions from the encrypted file to the one or more permissions configured for the file at the collaborative network site; 
 detect a mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site; and 
 restrict access to the encrypted file for the user in response to detecting the mismatch. 
 
     
     
       6. The system of  claim 5 , wherein a permission update modifies the one or more permissions configured for the file at the collaborative network site, the modification of the one or more permissions configured for the file at the collaborative network site causing the mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site. 
     
     
       7. A computer-readable storage medium having encoded thereon, computer-readable instructions that when executed by one or more processing units cause a system to:
 store a file at a collaborative network site; 
 configure the file with one or more permissions defined by an administrative entity associated with the collaborative network site; 
 grant a plurality of users access to the file according to the one or more permissions; 
 receive a download request for the file from a computing device associated with a user of the plurality of users; 
 transmit an encrypted file comprising the file and a permissions label associated with the user to the computing device in response to receiving the download request; 
 receive, from another collaborative network site, a permissions query that includes an identification for another user requesting to download the encrypted file which has been uploaded to the other collaborative network site; 
 compare the identification for the other user to the one or more permissions for which the file is configured; 
 determine, based on the comparing, that the other user is not included in the plurality of users that have been granted access to the file; and 
 prevent access to the encrypted file for the other user based on the determining. 
 
     
     
       8. The computer-readable storage medium of  claim 7 , wherein the encrypted file includes a publishing license comprising data defining the collaborative network site of the encrypted file, the publishing license configured to implement a synchronization between the permissions label in the encrypted file and the one or more permissions configured for the file at the collaborative network site. 
     
     
       9. The computer-readable storage medium of  claim 7 , wherein the permissions label includes one or more of a read permission, an edit permission, or a full control permission for the user. 
     
     
       10. The computer-readable storage medium of  claim 7 , wherein the computer-readable instructions further cause the system to:
 receive an access request from the computing device of the user to access the encrypted file, wherein the access request includes one or more permissions extracted from the permissions label included in the encrypted file previously transmitted to the computing device; 
 compare the one or more extracted permissions from the encrypted file to the one or more permissions configured for the file at the collaborative network site; 
 detect a mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site; and 
 restrict access to the encrypted file for the user in response to detecting the mismatch. 
 
     
     
       11. The computer-readable storage medium of  claim 10 , wherein a permission update modifies the one or more permissions configured for the file at the collaborative network site, the modification of the one or more permissions configured for the file at the collaborative network site causing the mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site. 
     
     
       12. A method comprising:
 storing a file at a collaborative network site; 
 configuring the file with one or more permissions defined by an administrative entity associated with the collaborative network site; 
 granting a plurality of users access to the file according to the one or more permissions; 
 receiving a download request for the file from a computing device associated with a user of the plurality of users; 
 transmitting an encrypted file comprising the file and a permissions label associated with the user to the computing device in response to receiving the download request; 
 receiving, from another collaborative network site, a permissions query that includes an identification for another user requesting to download the encrypted file which has been uploaded to the other collaborative network site; 
 comparing the identification for the other user to the one or more permissions for which the file is configured; 
 determining, based on the comparing, that the other user is not included in the plurality of users that have been granted access to the file; and 
 preventing access to the encrypted file for the other user based on the determining. 
 
     
     
       13. The method of  claim 12 , wherein the encrypted file includes a publishing license comprising data defining the collaborative network site of the encrypted file, the publishing license configured to implement a synchronization between the permissions label in the encrypted file and the one or more permissions configured for the file at the collaborative network site. 
     
     
       14. The method of  claim 12 , wherein the permissions label includes one or more of a read permission, an edit permission, or a full control permission for the user. 
     
     
       15. The method of  claim 12 , further comprising:
 deleting the collaborative network site in response to a deletion command from the administrative entity; and 
 revoking access to the file for the plurality of users in response to the deletion of the collaborative network site. 
 
     
     
       16. The method of  claim 12 , further comprising:
 receiving an access request from the computing device of the user to access the encrypted file, wherein the access request includes one or more permissions extracted from the permissions label included in the encrypted file previously transmitted to the computing device; 
 comparing the one or more extracted permissions from the encrypted file to the one or more permissions configured for the file at the collaborative network site; 
 detecting a mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site; and 
 restricting access to the encrypted file for the user in response to detecting the mismatch. 
 
     
     
       17. The method of  claim 16 , wherein a permission update modifies the one or more permissions configured for the file at the collaborative network site, the modification of the one or more permissions configured for the file at the collaborative network site causing the mismatch between the one or more extracted permissions from the encrypted file and the one or more permissions configured for the file at the collaborative network site.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.